The arrival of October on our calendars is the perfect reminder to check how well your digital assets are protected. Initiated 18 years ago, Cybersecurity Awareness Month (also called National Cybersecurity Month) was created to encourage businesses to review their firewalls, anti-virus protection, and even remote access policies. One area often overlooked in cybersecurity awareness is user authentication policy, especially Multi-factor Authentication (MFA). It is becoming even more relevant as a growing number of employees work in a hybrid environment. Too many businesses remain comfortable with the traditional username-and-password approach to authentication.
This kind of complacency can be compared to leaving your door key under the welcome mat. The intruder knows that the fastest and easiest way to ‘get in’ is often through the access points we ignore or are most comfortable with.
Assuming the intruder won’t find your ‘hidden’ door key under the mat is the same kind of thinking as assuming an email hacker won’t crack a password that is actually the word ‘password’, written on a sticky note left on the computer keyboard.
A 2020 study on password and authentication discovered that 67% of organizations require a periodic password change, and 65% prohibited password reuse. Over 60% had a minimum password length, but only 36% required a password manager. According to the study, employees continue to write passwords on sticky notes and use the same password on up to 10 accounts. In some cases, individuals even shared their credentials with others.
Traditional credential processes put your organization at risk. That’s why government and industry agencies recommend using multi-factor authentication (MFA) technology to provide a stronger security posture.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a security system that requires user credentials to come from at least two of the following categories (commonly summarized as something you know, something you have, and something you are):
- A user-generated code such as a password or PIN
- A program-generated code that appears on something the user possesses, such as a smart card or phone
- A biometric recognition process such as voice recognition or fingerprints
MFA implementations may use two (2FA) or three (3FA) categories for authentication. Whether 2FA or 3FA, the added credentials make for a more secure environment.
How Does Multi-Factor Authentication Work?
Most implementations use 2FA. In a two-category deployment, a username and password are entered first. Once the user passes the initial log-in, the second form of identification is requested. The second method may be a security code sent to a smartphone or email address associated with the account. Sending the code to a user-owned device satisfies the second category requirement.
The second authentication method assumes that a hacker cannot access the device and complete the authorization process. Trying to spoof a randomly generated code is more difficult than compromising a password. An alternative to the random code is a biometric requirement. For this category, fingerprints, retina scans, or voice recognition can serve as user-specific identification.
However, no authentication process is 100% effective. Anything can be compromised, given enough time. For example, emails and SMS can be intercepted. Biometrics can be hacked; even the authenticating applications can be compromised. Organizations should not reduce their security programs when upgrading to MFA. The technology is a tool that works in conjunction with a well-designed cybersecurity plan to protect digital assets.
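The two-step flow described above, as an added example that is not code from the original post: a password check (something the user knows) followed by a six-digit one-time code that would be delivered to a registered device (something the user has). The user store, salt, and phone number are constructed for the example; the code also shows the limits (expiry, attempt cap, single use) that keep a short random code from simply being guessed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example data: a fake user store with a salted, hashed password and a
# registered device for out-of-band code delivery. No real credentials.
SALT = b"constructed-example-salt"   # real systems use a random salt per user

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": {"pw": hash_password("correct horse battery staple"),
                   "device": "+1-555-0100"}}  # constructed phone number

CODE_TTL_SECONDS = 300      # a code is only valid for five minutes
MAX_CODE_ATTEMPTS = 5       # after that the pending code is discarded
_pending = {}               # username -> {"code_hash", "expires", "attempts"}

def first_factor(username, password, now=None):
    """Step 1: check the password. On success, mint a one-time code for the
    registered device and return it so the caller can deliver it; a real server
    sends it out of band and never shows it to the browser session logging in."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["pw"], hash_password(password)):
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"            # six random digits
    _pending[username] = {"code_hash": hashlib.sha256(code.encode()).digest(),
                          "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def second_factor(username, submitted, now=None):
    """Step 2: verify the code typed back from the device. Expired, exhausted,
    or already-used codes are rejected, which is what stops an attacker from
    cycling through all one million six-digit values."""
    now = time.time() if now is None else now
    p = _pending.get(username)
    if p is None:
        return False
    if now > p["expires"] or p["attempts"] >= MAX_CODE_ATTEMPTS:
        del _pending[username]
        return False
    p["attempts"] += 1
    ok = hmac.compare_digest(p["code_hash"], hashlib.sha256(submitted.encode()).digest())
    if ok:
        del _pending[username]          # single use: the same code cannot be replayed
    return ok
```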
Why is Multi-Factor Authentication Important?
Microsoft reports that over 99.9% of account compromise attacks can be prevented with MFA. Given that 63% of data breaches can be traced to poor credential hygiene, adding a step to authentication only makes business sense. After all, the cost of a breach can cripple an organization. According to IBM’s latest data breach report, businesses continue to feel the effects of a cyberattack two years after the compromise. Immediate expenditures cover detection, escalation, and notification, but longer-term costs include response and remediation.
Response and Remediation
The financial impact of the response and remediation phase is the most significant, primarily because it results in a loss of business. As IBM reports, financial losses come from the following:
- Downtime – Business disruption can cost millions. A recent study found that downtime can cost a small business between $80,000 and $260,000 per hour.
- Lost Business – About 56% of consumers will stop doing business with a company after a cyberattack.
- New Customers – Factoring in the cost of acquiring new customers only adds to the financial burden of a data breach.
Depending on the industry, post-response penalties can be severe. Businesses that accept online payments may incur per-transaction penalties if they are found to be out of compliance. Then there are fines for violating consumer privacy laws if personal data is taken. As the report highlights, the public relations costs can drag on for years as companies try to assure consumers and partners that their data is safe.
Remote workers pose a serious threat to cybersecurity unless employers have a strong authentication process. Companies have little control over the security of at-home workers. How many devices use the same router? Has the password been changed from the default? For the most part, employers must depend on the security awareness of employees.
Hackers are trolling the internet looking for weaknesses that will allow them to compromise a corporate system. With employees working from home or the local coffee shop, data is passing over an unsecured home or public network. Cybercriminals can easily extract credentials without anyone knowing they even tried.
Organizations should be asking themselves how they determine employees are actually who they say they are. Anyone can use someone’s username and password to gain access, but it’s more difficult to enter a passcode or fingerprint without the individual being present. MFA is one method for knowing that employees are who they say they are.
How Does MFA Strengthen Cybersecurity?
MFA methodologies check user identities every time they log in from a different device. The process reduces the risk of compromised user credentials being used. Access is not granted unless users supply a passcode or use a fingerprint. Reducing the risk of compromised user credentials means minimizing the odds of a data breach. According to Google, adding MFA can prevent over 95% of bulk phishing attempts and over 75% of targeted attacks. Multi-factor authentication can help reduce the exposure reflected in these figures:
- 81% of breaches are the result of credential theft
- 73% of passwords are used for more than one account
- 50% of employees use shadow apps
So, what cyber tricks do hackers use to gain access to user credentials?
In a phishing campaign, hackers send messages to a list of email addresses or phone numbers with a call to action (CTA) at the end. The CTA directs users to a fake website to enter their usernames and passwords. Cybercriminals then have credentials that can log them into one or more systems.
Similar to phishing, spear phishing targets a specific group using personalized messages. Hackers comb social media accounts and websites to learn more about the targeted individuals. When ready, they begin a campaign that leads to credential theft. The more data they have, the more trustworthy the communication appears.
Cybercriminals install programs to capture keystrokes from the user’s computer. These programs capture everything from usernames and passwords to domain names and IP addresses. If the target is a privileged user, these bad actors can access an entire infrastructure.
Hackers know that people reuse their usernames and passwords. As a matter of course, they use the stolen credentials to access other programs and sites. Merely watching social media accounts enables bad actors to guess where stolen credentials may be valid.
Brute Force and Counter Brute Force Attacks
Brute force attacks may lack finesse, but they can be effective. Cybercriminals deploy password-generating software that tries thousands of possible passwords in seconds. The program is looking for common credentials such as password123 to gain access to a system.
Interception attacks use a third-party connection sitting between a specific user and the service. Whether they observe interactions or redirect connections, the bad actors are waiting for people to enter their login information.
Cybercriminals are not lacking tools that compromise user credentials. If sophisticated enough, they might try to access a phone’s SIM card or decrypt a private connection. MFA technologies can eliminate most attempts at credential compromise, reducing the chance of a data breach or ransomware attack.
Available Multi-Factor Authentication Tools
There’s no shortage of MFA tools to help deploy the added credential security. Although most solutions target businesses, individuals can improve their security through MFA tools. MFA tools prevent internal theft, external threats, and data loss through various methodologies. For example:
- Risk-based software uses factors such as IP address, domain reputation, device posture, and geolocation to assess user authentication risks.
- Passwordless software is a form of MFA that substitutes other factor categories (such as a device or a biometric) for the user-generated component.
MFA can be sold as an endpoint solution or as a cloud-based service. Businesses may consider identity and access management (IAM) software or customer-based identity and access management (CIAM) solutions.
Finding the right tools for your business depends on many factors:
- Security levels – Some solutions offer different authentication requirements based on user privilege, for example. Remote workers may have added security requirements to protect against identity theft. The right solution depends on what an organization requires. In any case, the practice of least privilege should be followed.
- Ease of use – No matter how good a solution is, it won’t be effective if it is difficult to use. Some software may have such complex security level settings that administrators end up giving everyone the same access, violating the best practice of least privilege.
- Existing workflows – Most organizations have some form of credential security. If the MFA solution disrupts workflows, employees become frustrated, and productivity declines. Make sure that the tool minimizes disruption, so employees are more willing to adapt to the change.
- Cost – MFA solutions, enterprise-wide endpoint implementations, and cloud-based deployments can vary in cost, based on features, the number of users, and on-premises vs. cloud deployment.
There’s no single right MFA tool; however, all tools should minimize the risk of credential compromise. The challenge is knowing which tools would work best for your specific business needs when it comes to your cybersecurity protection.
While the overall threat of hacks is always looming, there are fast and relatively easy steps you can take today to shore up your vulnerabilities. We’d love to help you determine how to best improve your overall cybersecurity preparedness.
Let’s talk about your needs and how to make sure cybercriminals don’t find the proverbial key left under the mat to gain access to your business when they should permanently be locked out.